Internal control and risk management

The aim of Orexo’s risk management systems and processes is to ensure that the shareholders can have the utmost confidence in the financial operation and presented reports, including the information given in this Annual Report and all interim reports. Orexo has established a methodology for developing, implementing, driving and evaluating internal controls and risk management in respect of all parts of the company, including financial reporting.

This methodology conforms to internationally established standards in the industry and comprises a framework with five principal components: control environment, risk assessment, control activities, information and communication, and follow-up and evaluation.

Pursuant to the Swedish Companies Act, the Board of Directors is responsible for the internal control and governance of the company. To maintain and develop a functional control environment, the Board has implemented a process of risk mapping and established a number of basic control documents and procedures that are of importance to financial reporting. These include the formal work plan for the Board of Directors and the terms of reference for the President, which are reviewed and approved annually by the Board.

In addition, the control environment is continuously updated and secured by means of continuous monitoring and regular evaluations of risk profiles within various functions. Responsibility for the daily work of maintaining the control environment is primarily incumbent on the President. He reports regularly to the Board of Directors and the Audit Committee pursuant to established procedures. In addition, the Board also receives regular reports directly from the company’s auditor. Company managers have defined authorities, control functions and responsibilities within their respective areas for financial and internal controls.

Orexo regularly conducts evaluations of financial risks and other risks that may impact financial reporting. These reviews extend to all parts of the company and are carried out to ensure that there is no significant risk of errors occurring in financial reporting. There are several areas where the control of financial information is particularly important, and Orexo has established a risk map that highlights a number of key potential risks in the financial reporting system.

The company continuously monitors and evaluates these areas and regularly examines other areas in order to create a set of control procedures that will minimize the risks and impact in these areas. In addition, new and existing risks are identified, addressed and regulated through a process of discussion in forums such as the Management Team, The Board of Directors and Audit Committee.

In light of the risks identified on the risk map, and the continuous monitoring of the methods used to manage financial information, Orexo has developed control activities that ensure good internal control of all aspects of financial reporting. A number of policy documents and procedures have been applied throughout the year to manage reporting and accounting. Standard procedures, attestation systems and the risk map are examples of such policy documents.

The finance and controller functions are responsible for ensuring that financial reporting is correct, complete and timely. Orexo strives to continually improve its internal control systems and has, on occasion, engaged external specialists when validating these controls.

Orexo is a listed company in one of the most regulated markets in the world – healthcare. In addition to the highly exacting requirements that Nasdaq Stockholm and the supervisory authorities impose on the scope and accuracy of information, Orexo has internal control functions for information and communication designed to ensure that correct financial and other corporate information is communicated to employees and other stakeholders.

The Board receives monthly reports concerning financial performance, commercial performance and the status of Orexo’s development projects and other relevant information.

The corporate intranet provides detailed information about applicable procedures in all parts of the company and describes the control functions and how they are implemented.

The security of all information that may affect the market value of the company and mechanisms to ensure that such information is communicated in a correct and timely fashion are the cornerstones of the company’s undertaking as a listed company. These two factors, and the procedures for managing them, ensure that financial reports are received by all players in the financial market at the same time, and that they provide an accurate presentation of the company’s financial position and performance. These procedures are continuously updated to secure compliance with the EU Market Abuse Regulation (MAR).

Orexo’s management conducts monthly performance follow- up, with an analysis of deviations from the budget and plans. Orexo’s controller function also conducts monthly controls,evaluations and follow-ups of financial reporting. Since a large part of the company’s product development is done in project form, these are continuously monitored from a financial point of view. Routines and reporting is implemented to secure continuous follow-up on all aspects of the Zubsolv® business, e.g. manufacturing, sales performance, wholesaler orders, sales force performance, inventory levels etc. The Board of Directors and the Audit Committee review the Annual Report and interim reports prior to publication. The Audit Committee discusses special accounting policies, internal control framework, risks and other issues associated with the reports. The company’s external auditor also participates in these discussions.

Orexo has no separate internal audit function. The Board annually evaluates the need for such a function and, considering the size and structure of the company, has found no basis for establishing a separate internal audit function. The Board of Directors monitors the internal control over financial reporting through regular follow-ups by the Audit Committee and the Board.